From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: libidn security update patch
Date: Fri, 2 Sep 2016 02:41:36 -0400
Message-ID: <20160902064136.GA14384@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="f2QGlHpHGjS2mn6Y"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60156)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bfiAd-0000PQ-F5
	for guix-devel@gnu.org; Fri, 02 Sep 2016 02:41:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bfiAa-0004IR-9e
	for guix-devel@gnu.org; Fri, 02 Sep 2016 02:41:47 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:49051)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bfiAZ-0004HM-2b
	for guix-devel@gnu.org; Fri, 02 Sep 2016 02:41:44 -0400
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id 30ACDF29D4
	for <guix-devel@gnu.org>; Fri,  2 Sep 2016 02:41:37 -0400 (EDT)
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--f2QGlHpHGjS2mn6Y
Content-Type: multipart/mixed; boundary="pWyiEgJYm5f9v55/"
Content-Disposition: inline


--pWyiEgJYm5f9v55/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

... and the patch.

--pWyiEgJYm5f9v55/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-libidn-Replace-with-1.33-fixes-CVE-2015-8948-and.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 217f444aa56ec292ddfaacfabcbb6ddea8d1f262 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@famulari.name>
Date: Fri, 2 Sep 2016 02:11:49 -0400
Subject: [PATCH] gnu: libidn: Replace with 1.33 [fixes CVE-2015-8948 and
 CVE-2016-{6261,6263}].

* gnu/packages/libidn.scm (libidn)[replacement]: New field.
(libidn-1.33): New variable.
---
 gnu/packages/libidn.scm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 053565c..432c1fe 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -27,6 +27,7 @@
 (define-public libidn
   (package
    (name "libidn")
+   (replacement libidn-1.33)
    (version "1.32")
    (source (origin
             (method url-fetch)
@@ -45,3 +46,16 @@ names.  It includes native C, C# and Java libraries.")
    ;; the command line tool is gpl3+.
    (license (list gpl2+ gpl3+ lgpl3+ fdl1.3+))
    (home-page "http://www.gnu.org/software/libidn/")))
+
+(define libidn-1.33
+  (package
+    (inherit libidn)
+    (source
+      (let ((version "1.33"))
+        (origin
+          (method url-fetch)
+          (uri (string-append "mirror://gnu/libidn/libidn-" version
+                              ".tar.gz"))
+          (sha256
+           (base32
+            "068fjg2arlppjqqpzd714n1lf6gxkpac9v5yyvp1qwmv6nvam9s4")))))))
--=20
2.9.3


--pWyiEgJYm5f9v55/--

--f2QGlHpHGjS2mn6Y
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXyR8gAAoJECZG+jC6yn8IlIYP/R2OdqOXqcGhmjXQttAUW+4N
hhZgdaUI4fAGgRzNo6evKzPM6/mOAYX6wHFKPu6maps7xK/oXtzHz47l19WpJqDi
uZQIZwskA7EzUbucJlWC623KnGgrna4nLXulqMCY7c117eDdtSE09aKnWhrgCNig
dvOyyii8KJFzaVWfNvhtNqlJwJInsd2wtzkYVKfk4YB6CcP2npu7A1ZcuTnfLmeW
kTiEe387ykY1tNj9RugKthDTyrlTv7WQex2B/Ta3G9jbQAjeqnGIQbjQ84E78ab+
jakKpXnXkajm800P4OwqJxbyy3irtBzL7oIbj1xpHI0ZkqIE5U952kbbsIHD3W3n
Rhph3p5/hi2nh4CisU+fF8+uY/OlFonGATnGRKU2bQzMwOTxdAIqaLO7sQhqSxQY
ze39oNSW8T3LUZwSS2OZNcr53lQh8V2EOGAYj/bjtFaeTdCJQcx5w2GTnGpJ9e1A
Z/qm2MW2Ln4kNesbEEUq3RHWebxDv2hx4Rij4FIZvQA/S7//d9cyDJv/1fbQS5l5
5Y/rUoUBdchOKJ45khqaVe5Y4xxsgU+jN1cXsUF4RDD2j264lKBGPjjOtDbIP9UN
keX+AfbAEDs4uFPdN9bpOlmAoonQg8y2oOX2HlAstOZYjQDceVwIasALhmu2nZTO
h7oaoVeNqi6kPlry9bva
=XiM1
-----END PGP SIGNATURE-----

--f2QGlHpHGjS2mn6Y--